Description: A high-level Python Web framework that encourages rapid development and clean design
Version: 3.1-1 [testing]
         3.0.9-1 [extra]


Group | Affected | Fixed | Severity | Status | Ticket
AVG-1176 | 3.0.6-2 | 3.0.7-1 | Medium | Fixed |
AVG-1111 | 3.0.3-1 | 3.0.4-1 | Medium | Fixed |
AVG-1091 | 3.0.2-1 | 3.0.3-1 | Medium | Fixed |
AVG-1080 | 2.2.6-1 | 2.2.9-1 | High | Fixed |
AVG-1070 | 2.2.6-2 | 2.2.9-1 | Low | Fixed |
AVG-1015 | 2.2.3-1 | 2.2.4-1 | Medium | Fixed |
AVG-1000 | 2.2.2-1 | 2.2.3-1 | High | Fixed |
AVG-969 | 2.2.1-1 | 2.2.2-1 | Medium | Fixed |
AVG-881 | 2.1.5-1 | 2.1.6-1 | Medium | Fixed |
AVG-839 | 2.1.4-1 | 2.1.5-1 | Medium | Fixed |
AVG-773 | 2.1.1-1 | 2.1.2-1 | Medium | Fixed |
AVG-743 | 2.0.7-2 | 2.0.8-1 | Medium | Fixed |
AVG-649 | 1.11.10-1 | 1.11.11-1 | Medium | Fixed |
AVG-624 | 1.11.8-1 | 1.11.10-1 | Medium | Fixed |
AVG-233 | 1.10.3-2 | 1.11-1 | Medium | Fixed |
AVG-57 | 1.10.2-1 | 1.10.3-1 | High | Fixed |
AVG-35 | 1.9.9-1 | 1.10.1-1 | Medium | Fixed |
Issue | Group | Severity | Remote | Type | Description
CVE-2020-13596 | AVG-1176 | Medium | Yes | Cross-site scripting | A possible XSS has been found in Django before 3.0.7, via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not...
CVE-2020-13254 | AVG-1176 | Medium | Yes | Information disclosure | An information disclosure issue has been found in Django before 3.0.7, via malformed memcached keys. In cases where a memcached backend does not perform key...
CVE-2020-9402 | AVG-1111 | Medium | Yes | SQL injection | A potential SQL injection has been found in Django before 3.0.4, via the tolerance parameter in GIS functions and aggregates on Oracle.
CVE-2020-7471 | AVG-1091 | Medium | Yes | SQL injection | The django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
CVE-2019-19844 | AVG-1080 | High | Yes | Insufficient validation | Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this...
CVE-2019-19118 | AVG-1070 | Low | Yes | Privilege escalation | A privilege escalation issue has been found in Django since 2.1 and before 2.2.8 or 2.1.15, where a user who lacks permission to edit a model should not be...
CVE-2019-14235 | AVG-1015 | Medium | Yes | Denial of service | If passed certain inputs, django.utils.encoding.uri_to_iri() could lead to significant memory usage due to excessive recursion when re-percent-encoding...
CVE-2019-14234 | AVG-1015 | Medium | Yes | SQL injection | Key and index lookups for JSONField and key lookups for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary...
CVE-2019-14233 | AVG-1015 | Medium | Yes | Denial of service | Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large...
CVE-2019-14232 | AVG-1015 | Medium | Yes | Denial of service | If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate...
CVE-2019-12781 | AVG-1000 | High | Yes | Silent downgrade | An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via...
CVE-2019-12308 | AVG-969 | Medium | Yes | Cross-site scripting | The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated...
CVE-2019-11358 | AVG-969 | Medium | Yes | Cross-site scripting | jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable...
CVE-2019-6975 | AVG-881 | Medium | Yes | Denial of service | Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows uncontrolled memory consumption via a malicious attacker-supplied value to...
CVE-2019-3498 | AVG-839 | Medium | Yes | Content spoofing | A content spoofing issue has been found in Django before 2.1.5 and 1.11.18, where an attacker could craft a malicious URL that could make spoofed content...
CVE-2018-16984 | AVG-773 | Medium | Yes | Information disclosure | If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but...
CVE-2018-14574 | AVG-743 | Medium | Yes | Open redirect | If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path...
CVE-2018-7537 | AVG-649 | Medium | Yes | Denial of service | If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to...
CVE-2018-7536 | AVG-649 | Medium | Yes | Denial of service | The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular...
CVE-2018-6188 | AVG-624 | Medium | Yes | Information disclosure | A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an...
CVE-2017-7234 | AVG-233 | Medium | Yes | Open redirect | A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don't...
CVE-2017-7233 | AVG-233 | Medium | Yes | Cross-site scripting | Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check...
CVE-2016-9014 | AVG-57 | High | Yes | Access restriction bypass | Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013 | AVG-57 | High | Yes | Authentication bypass | When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401 | AVG-35 | Medium | Yes | Cross-site request forgery | Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...


Date | Advisory | Group | Severity | Description
06 Jun 2020 | ASA-202006-8 | AVG-1176 | Medium | multiple issues
08 Mar 2020 | ASA-202003-5 | AVG-1111 | Medium | sql injection
03 Feb 2020 | ASA-202002-1 | AVG-1091 | Medium | sql injection
05 Aug 2019 | ASA-201908-2 | AVG-1015 | Medium | multiple issues
06 Jul 2019 | ASA-201907-2 | AVG-1000 | High | silent downgrade
04 Jun 2019 | ASA-201906-2 | AVG-969 | Medium | cross-site scripting
12 Feb 2019 | ASA-201902-14 | AVG-881 | Medium | denial of service
11 Jan 2019 | ASA-201901-6 | AVG-839 | Medium | content spoofing
01 Oct 2018 | ASA-201810-5 | AVG-773 | Medium | information disclosure
01 Aug 2018 | ASA-201808-1 | AVG-743 | Medium | open redirect
06 Mar 2018 | ASA-201803-5 | AVG-649 | Medium | denial of service
06 Apr 2017 | ASA-201704-2 | AVG-233 | Medium | multiple issues
16 Nov 2016 | ASA-201611-15 | AVG-57 | High | multiple issues
21 Oct 2016 | ASA-201610-13 | AVG-35 | Medium | cross-site request forgery